The company waited 320 days—nearly 11 months—to warn victims.
A major technology supplier for state lotteries, including Vermont’s, suffered a massive data breach in late 2024, compromising the most sensitive personal information of over 100,000 people. But the most alarming failure was the company’s decision to wait nearly a year before notifying victims. This 320-day delay left Vermonters completely unaware that their Social Security numbers, driver’s license details, financial accounts, and even private health information were in the hands of criminals, putting them at silent risk for months.
The company, Brightstar Global Solutions, a newly rebranded division of lottery giant IGT, blatantly violated a Vermont law that requires residents to be notified within 45 days. Now, as notification letters finally arrive, affected Vermonters are scrambling to protect themselves from a lifetime of potential fraud, and the incident raises serious questions about how the state protects citizen data when it hires outside companies.
A Treasure Trove of Stolen Data
The security failure at Brightstar gave cybercriminals a complete “kit” for identity theft. According to the company’s own filings with state attorneys general, the breach began on or around November 10, 2024, and the company discovered the intrusion just one week later, on November 17, 2024.
Hackers stole a highly toxic combination of personal data, including:
- Core Identity Information: Full names, dates of birth, and home addresses.
- Government Identifiers: Social Security numbers and driver’s license numbers.
- Financial Data: Bank account information.
- Protected Health Information: Private health data and insurance details.
While Brightstar filed a notice with the Vermont Attorney General’s Office in early October 2025, the company has not publicly disclosed the exact number of Vermonters whose information was stolen. We know the breach had a significant impact on New England, affecting over 6,300 residents in Rhode Island and nearly 550 in Connecticut, according to reports from those states. The presence of health data is particularly unusual for a lottery vendor and suggests the breach may have involved sensitive employee or prize winner background check files.
An Inexcusable and Illegal Delay
The most critical failure in this saga is the timeline. Vermont’s Security Breach Notice Act is clear: companies must notify the Attorney General within 14 business days and consumers within 45 days of discovering a breach. This law exists to give Vermonters a fighting chance to protect themselves before criminals can do serious damage.
Brightstar ignored this mandate. The following table starkly illustrates the violation by comparing the company’s actions to Vermont’s legal deadlines.

The company waited 320 days—nearly 11 months—to warn victims. In its official statements, Brightstar blamed the delay on the “complex and unstructured nature of the impacted data,” which it claims required a lengthy manual review.
However, from a data security standpoint, this is not a justification but an admission of gross negligence. It reveals that the company was likely storing Vermonters’ most sensitive information in a disorganized and unsecured manner. This internal failure to manage data properly directly led to the 277-day internal review, creating a massive window of opportunity for criminals to use the stolen information undetected. The company has offered no evidence that law enforcement requested the delay—the only exception allowed under Vermont law.
What This Means for You and Your Family
For affected Vermonters, the consequences are direct, personal, and could last a lifetime. The stolen data can be used for far more than just credit card fraud. Here’s a breakdown of the specific threats posed by the stolen data:
| Compromised Data Element | Primary Risk(s) for Vermonters |
| --- | --- |
| Social Security Number + Name + DOB | Foundational identity theft, fraudulent tax returns, opening new credit/bank accounts, applying for government benefits. |
| Driver’s License Number | Physical impersonation, bypassing identity verification checks, secondary ID for fraudulent account opening. |
| Financial Account Information | Direct financial theft, unauthorized withdrawals, fraudulent purchases. |
| Health Data / Health Insurance | Medical identity theft (fraudulent claims, obtaining prescriptions), corruption of personal health records, targeted phishing. |
| Contact Information | Vector for sophisticated phishing, smishing, and social engineering attacks; harassment. |
In response, Brightstar is offering 24 months of identity monitoring services through Kroll. While you should absolutely sign up for this service, it is not enough. Your Social Security number is permanent. Criminals often wait years, long after free monitoring services expire, to use stolen data. The two-year offer shifts the lifelong burden of vigilance from the company that failed onto you, the victim.
This incident also erodes trust in the Vermont Lottery itself. The lottery’s proceeds are dedicated to the state’s Education Fund, an operation that depends on public confidence. When a key partner fails so spectacularly to protect citizen data and obey the law, it tarnishes the entire system.
What You Must Do Now to Protect Yourself
If you received a notification letter, or even if you suspect you might be affected, it is critical to take immediate action beyond what the company offered.
- Place a Security Freeze on Your Credit. This is the single most effective step. A freeze restricts access to your credit report, making it very difficult for thieves to open new accounts in your name. You must do this separately with all three credit bureaus: Equifax, Experian, and TransUnion.
- Scrutinize Your Medical Records. Contact your healthcare providers and insurers. Request a copy of your records and review your “Explanation of Benefits” statements carefully. Look for any doctors’ visits, prescriptions, or procedures you don’t recognize.
- Activate Multi-Factor Authentication (MFA). Enable this extra layer of security on all your important online accounts, especially banking, email, and retirement accounts.
- Stay Vigilant Against Scams. Be extremely suspicious of any unexpected email, text message, or phone call asking for personal information, even if they seem to know details about you.
- Keep All Documents. Save the breach notification letter and any notes or records of time and money you spend dealing with potential fraud. This will be important for any future legal action.
The Bigger Picture: Holding Companies Accountable
The Brightstar data breach is a textbook example of the risk Vermonters face when state agencies outsource critical functions. It highlights a clear need for stronger oversight and stricter accountability.
The State of Vermont must use this incident as a catalyst for change. This includes writing ironclad security and immediate notification requirements into all vendor contracts and empowering the Attorney General’s Office to pursue the maximum possible penalties for violations. The message must be sent loud and clear: protecting Vermonters’ data is a non-negotiable duty, and companies that fail will face severe consequences. For now, the burden falls on individuals to clean up the mess left by a company that failed to protect their data and failed to tell them about it in time.

The Secretary of State is worried about releasing personal info of Vermont residents to the U.S. Government but the state will release it all to a private company, who in turn has a data breach threatening everyone's personal information!!
I see a number of class action lawsuits being assembled in light of this news – the lawyers are pouncing. Interesting, the engine driving AI is also driving cyber-crimes and throwing financial wrenches into many public and private machines across the “global” frontier. So much for privacy or security, it’s all stored in a cloud somewhere ripe for the taking. Depopulation, wealth transfer, reset – Agenda 2030.
“Brightstar Lottery, formerly known as IGT Lottery, is now positioned as a standalone global leader in the lottery industry, focusing exclusively on lottery operations, retail and digital systems, instant games, and game creation. With around 6,000 employees worldwide, Brightstar serves nearly 90 lottery operations across six continents, including seven of the world’s ten largest lotteries. As a trusted partner to governments and regulators, the company provides end‑to‑end solutions in technology and operations under its integrated OMNIA™ platform. For media inquiries and official communications, Brightstar directs requests to its corporate headquarters in Providence, Rhode Island, or its registered office in London, detailing specific contact information for press relations, including its Head of Corporate Communications.”
“‘Omnia platform’ refers to multiple different technological platforms, including Omnia by Dell Technologies, a software for deploying and managing high-performance computing (HPC) clusters for AI and data analytics; the Deloitte Omnia Audit Platform, a cloud-based tool for simplifying and automating audit processes using AI; Omnia Platform (omnia-platform.com), a low-code platform for building and scaling custom enterprise applications and accelerating digital transformation; and the Omnia Platform by OMNIA Partners, a procurement platform for public sector and nonprofit organizations to find and purchase products and services. There is also an agricultural software called Omnia used for managing connected farming and creating variable-rate applications.”
“Financial crime in crypto is becoming more advanced, more automated and harder to detect. Organized threat actors are now using everything from AI and deepfakes to stablecoins and cross-chain infrastructure, introducing new levels of complexity across the ecosystem. Elliptic’s Typologies Report identifies five of the most urgent financial crime trends facing compliance teams, investigators and regulators this year. Through detailed typologies, red flags and case studies, the report offers a clear picture of how these threats operate and how to stop them.”
An evil business the state has no business being in.